From 219a3e8676f3132d27b530c7d2d6bcab89536b57 Mon Sep 17 00:00:00 2001
From: Kairui Song <kasong@redhat.com>
Date: Mon, 21 Jan 2019 17:59:28 +0800
Subject: [PATCH] integrity, KEYS: add a reference to platform keyring
|
commit 9dc92c45177a ("integrity: Define a trusted platform keyring")
introduced a .platform keyring for storing preboot keys, used for
verifying kernel image signatures. Currently only IMA-appraisal is able
to use the keyring to verify kernel images that have their signature
stored in xattr.
|
This patch exposes the .platform keyring, making it accessible for
verifying PE signed kernel images as well.
|
Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Kairui Song <kasong@redhat.com>
Cc: David Howells <dhowells@redhat.com>
[zohar@linux.ibm.com: fixed checkpatch errors, squashed with patch fix]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
certs/system_keyring.c | 10 ++++++++++
include/keys/system_keyring.h | 8 ++++++++
security/integrity/digsig.c | 3 +++
3 files changed, 21 insertions(+)
|
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 81728717523d..da055e901df4 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys;
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
static struct key *secondary_trusted_keys;
#endif
+#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
+static struct key *platform_trusted_keys;
+#endif
|
extern __initconst const u8 system_certificate_list[];
extern __initconst const unsigned long system_certificate_list_size;
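Review bot: The new `platform_trusted_keys` static is assigned by this patch but read nowhere within it, so a reader of this file cannot tell what it holds or who consumes it; the commit message says it is intended for verifying PE-signed kernel images, presumably wired up in a later change. A one-line comment above the added `#ifdef` would carry that, e.g. `/* The integrity subsystem's .platform keyring (preboot/firmware keys), published at init via set_platform_trusted_keys(); intended for verifying PE-signed kernel images. */`. The single-symbol guard here is narrower than the header's `CONFIG_INTEGRITY_PLATFORM_KEYRING && CONFIG_SYSTEM_TRUSTED_KEYRING`, which only works out because this file is built under CONFIG_SYSTEM_TRUSTED_KEYRING; that dependency is worth a word in the same comment.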
@@ -266,3 +269,10 @@ int verify_pkcs7_signature(const void *data, size_t len,
EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
|
#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
+
+#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
+void __init set_platform_trusted_keys(struct key *keyring)
+{
+ platform_trusted_keys = keyring;
+}
+#endif
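Review bot: `set_platform_trusted_keys()` stores the caller's pointer without taking a reference of its own (no `key_get()`), so the saved keyring is only valid for as long as the caller keeps the reference it passed in, and nothing in the hunk states that contract. Because the function is `__init` and has no unset counterpart, a kerneldoc comment should say that the caller retains ownership and must keep `keyring` alive for the kernel's lifetime, and that the pointer is consulted by later signature verification rather than at call time. For example: `/** set_platform_trusted_keys - publish the .platform keyring for signature verification. @keyring: keyring owned by the integrity subsystem; no reference is taken, so it must outlive this call. */`. The function body has no NULL check, which is fine given the caller only passes a successfully allocated keyring, but the comment could note that too.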
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 359c2f936004..42a93eda331c 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -61,5 +61,13 @@ static inline struct key *get_ima_blacklist_keyring(void)
}
#endif /* CONFIG_IMA_BLACKLIST_KEYRING */
|
+#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \
+ defined(CONFIG_SYSTEM_TRUSTED_KEYRING)
+extern void __init set_platform_trusted_keys(struct key *keyring);
+#else
+static inline void set_platform_trusted_keys(struct key *keyring)
+{
+}
+#endif
|
#endif /* _KEYS_SYSTEM_KEYRING_H */
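Review bot: The `#else` branch silently turns `set_platform_trusted_keys()` into a no-op when CONFIG_INTEGRITY_PLATFORM_KEYRING is enabled but CONFIG_SYSTEM_TRUSTED_KEYRING is not, and nothing in the header explains why both symbols are required. A comment on the added `#if` would save the next reader a trip to the certs Makefile: `/* The real setter lives in certs/system_keyring.c, which is only built with CONFIG_SYSTEM_TRUSTED_KEYRING; without it there is no system keyring code to hand the .platform keyring to, so publishing it becomes a no-op. */`. The stub also leaves `keyring` unreferenced, which is harmless for a `static inline` but is one more reason the no-op deserves that comment.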
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index f45d6edecf99..e19c2eb72c51 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -87,6 +87,9 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,
pr_info("Can't allocate %s keyring (%d)\n",
keyring_name[id], err);
keyring[id] = NULL;
+ } else {
+ if (id == INTEGRITY_KEYRING_PLATFORM)
+ set_platform_trusted_keys(keyring[id]);
}
|
return err;
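Review bot: The added `} else {` wrapping a lone `if` reads more naturally as a chained branch, `} else if (id == INTEGRITY_KEYRING_PLATFORM) {` followed by `set_platform_trusted_keys(keyring[id]);` and `}`, which is the usual kernel shape and removes one nesting level. Separately, `set_platform_trusted_keys()` is declared `__init` in the header while the hunk header shows `__integrity_init_keyring()` without an `__init` marker; if the compiler does not inline it into its `__init` callers (for instance under LTO), modpost may report a reference from regular text into `.init.text`, so marking `__integrity_init_keyring()` `__init` as well is worth confirming. The enclosing function starts outside the hunk.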
--
2.20.1
|